Portland VA hospital mistakenly posts vets' personal data online

by Michael Milstein, The Oregonian
Saturday November 01, 2008, 9:38 PM

Personal information, including some Social Security numbers, of about 1,600 patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site, Portland VA officials said Saturday.

The breach also involved patient information from other VA hospitals around the country, but Portland VA spokesman Mike McAleer did not know how many patients were affected nationally.

The affected Portland patients had stayed in local lodging at the VA's expense while undergoing treatment at the Portland VA Medical Center, McAleer said. Most were from Oregon.

The VA is offering affected patients free credit monitoring and fraud alert services, a step that Congress required in 2006 after previous data security lapses at the VA.

The disclosure did not include Social Security numbers of all 1,600 patients, McAleer said. In some cases, only patient names or partial names were posted online. He did not have a breakdown of how many Social Security numbers were released.

No medical information was disclosed, he said.

The release occurred when the VA inadvertently included personal patient information in agency financial records transferred to the federal Web site USAspending.gov, McAleer said. The site allows the public to search for details of government contracts and spending.

He said the records transferred involved the VA's spending on behalf of patients at local hotels.

VA officials removed the information from the Internet as soon as they realized it was there, but McAleer did not know how long the information was publicly available.

The Portland VA began notifying affected patients about the lapse by letter a little more than a week ago. "We sincerely apologize for any inconvenience or worry this may have caused you," said one letter from David Stockwell, acting director in Portland.

VA patient Mary Birmingham of Wilderville, near Grants Pass, received a letter last week saying that her Social Security number had been disclosed. She said she had resisted VA suggestions that she access her records on the Internet because she feared such a lapse.

"I have never felt like it was secure enough to be doing that," she told The Oregonian. "I feel even less secure about it now."

The letters from the VA explain to patients how to sign up for a credit monitoring service free for one year to detect any evidence of identity theft.

In 2006, Congress required the VA to provide such services when patient data are compromised. The VA also must provide identity theft insurance and fraud alerts, which are notices on people's credit reports requiring institutions to check with them before issuing credit cards or other credit.

Congress passed the law after a laptop computer containing the names and Social Security numbers of 26.5million veterans and 2.2 million members of the National Guard and Reserve was stolen from the home of a VA employee in 2006.

The same law required the VA to use encryption to better protect personal patient data and to centralize its information security systems. After the 2006 incident, all VA employees also received training in the proper handling of sensitive information.


Michael Milstein: 503-294-7689; michaelmilstein@news.oregonian.com